Biometric Security Products: VeriVoice Security Lock

I work a lot at a keyboard and have the stiff neck, sore fingers
and painful joints to prove it. I'm hoping someday to be able to do most
of my work by just talking to my computer. The makers of voice recognition
biometric software, however, are not trying to improve my physical health.
Instead, they hope to improve the health of your network by preventing
unauthorized access. They do so by identifying your unique voice. Some
of these systems require elaborate training and expensive hardware. Others
can exist on common desktop systems. Instead of entering a user ID and
password via the keyboard, you speak a predetermined catchphrase, or repeat
randomly selected phrases. If it's really you (or at least if the software
can determine that it's you) then you're in. Otherwise you're not.

VeriVoice is one such product but it's not meant as a foolproof network
or computer access system. Instead, it protects your password-protected
screensaver. Sort of. As you know, many Windows screensavers can be turned
into password-protected system lockouts with the check of a box. Idle
systems start the screensavers and only the possessor of the currently
logged on user account password can banish the screen saver and access
the desktop. After VeriVoice is installed, an attempt to access the screensaver
protected system asks for authentication via repetition of a VeriVoice
generated number.

Installation, Configuration and Testing

You can install VeriVoice on any Windows 2000 system. You do not
have to be in a domain, nor is your usage domain-dependent or restricted.
Running the installation (make sure your microphone is working!) sets
up the system and provides you the opportunity to "register" your voice.
You do so by repeating numerical phrases that are spoken to you and repeated
in a dialog box (see figure). I found myself repeating the rhythms of
the voice, instead of my own natural ones. This turns out to be not a
good idea. When VeriVoice is through with you, you're thanked for registering.

[Figure: VeriVoice registers your voice by having you repeat numeric phrases.]

Next, select a screensaver and check the Password required box. When
the screensaver is activated, the system is locked. When you attempt to
access the system, VeriVoice requires you to repeat several numerical
phrases. From these, VeriVoice creates a template and attempts to match
it with the one saved during registration. A match lets you back on the
system.

Best Practices, Thoughts

Unfortunately, after three attempts at duplicating your voice print,
instead of denying access, VeriVoice gives you the opportunity to key
in your password and return to your desktop. In my mind, this invalidates
the reason for using VeriVoice in the first place and turns what could
be a valuable use of biometrics into little more than a curiosity. Remember,
I said that was my opinion. VeriVoice states that this is the way their
customers want the service to act. No one wants to potentially lose data
by having to reboot to regain access to a system. Besides, allowing only
the user back into a "locked" system goes against the normal
administrative access policy—if the Windows Lock Computer facility
is used instead of a password-protected screensaver, an administrator
can unlock the system. If VeriVoice denied this access, they would not
be supporting the Windows model.

Assessment

I'd say VeriVoice is useful for the end user who is forced to use
a locking screensaver, but annoyed at having to type in a password when
they return from lunch. It did make interesting conversation as my idle
system kept starting the screensaver while I spoke on the phone. Soon,
I found myself explaining to the caller that I was alone—even though
some woman and I were speaking in code. It may just be me, but I'd soon
be annoyed by the computer voice asking me to repeat the phrases and soon
be mumbling something, anything, three times so finally I could type in
my password and get on with it.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.